Checklist for team leaders

Establish policies and processes

  • Review telework agreements and policies to ensure they comply with your agency’s information security policies.
  • Create a clear, written data handling policy that accounts for realities of working outside a physical office (e.g., working on the laptop in view of family members).
  • Enforce personal privacy requirements for records.
  • Keep all policies accessible in a place where everyone knows to look for them (like Confluence or other team collaboration tool).
  • Track removal and return of potentially sensitive materials, such as personnel records.

Enforce secure login practices

  • Choose a password manager and make sure teams adopt it for secure, unique passwords across all logins.
  • Enforce two-factor authentication across agency systems and employee logins.
  • Provide training on use of password management and two-factor authentication (this can be a simple half-day workshop to onboard everyone to the tools and practice using them).
  • Explicitly forbid the use of passwords written on sticky notes or browser auto-fill passwords for agency system logins.

Ensure secure systems access for teams

  • Set up a Virtual Private Network (VPN) for secure internet connection, and confirm that your employees can access it from their homes.
  • Make sure the right employees can securely login and access systems remotely (this can mean expanding access for some employees and limiting it for others).
  • Consider reimbursing employees if they need to use their mobile hotspot for remote systems access.

Provide security training

  • Information systems security training (can be provided by third-party vendor)
  • Workshops for setting up and using password manager and two-factor authentication
  • Training on recognizing and avoiding phishing attacks (here’s a simple quiz you can use to test employee awareness)

Checklist for teams

Beware of phishing / malware / hacking

  • Emails that ask you to confirm personal information
  • Email addresses or websites that don’t look genuine
  • High-intensity subject lines or messaging (i.e., “Urgent COVID Directive!”)
  • Don’t open attachments you don’t recognize

Use secure login practices

  • Onboard to the password manager tool your team is using
  • Set an example to others if your team isn’t collectively using a password manager (and perhaps offer to lead a one-hour workshop to help colleagues get set up)
  • Avoid browser password autofill or writing passwords on sticky notes

Protect your devices and hardware

  • Enable remote lock-out and re-set on your phone / laptop
  • Require password entry on power-up and login
  • Close laptop and remove CAC / PIV card when not in use
  • Encrypt hard disks (and wipe disks before giving away or discarding)
  • Never leave devices in the car or out of your sight
  • Lock your doors when you leave the house
  • Don’t use a thumb drive unless you know where it came from

Practice good security habits

  • Comply with organizational policies and with any additional requirements spelled out in your telework agreement.
  • Use only your agency services and tools for email, file sharing, and other work activities – not your personal accounts.
  • Avoid unsecured WiFi in public places when working on sensitive information (mobile phone hotspot is also not entirely secure). Use agency VPN for secure connection.
  • Keep software and systems up-to-date – the latest version will always have the best security fixes. This includes:
    • Cell phone operating system
    • Web browser
    • Laptop / computer operating system
    • Web tools and apps (video conferencing, etc.)


Password management

Two-factor authentication








Get customizable training for small or large groups at your agency on remote / telework best practices.


Get personalized coaching and implementation help for building effective distributed government teams.


Get one-on-one consulting for orientation on telework policies and best practices, along with recommendations for your agency.